SHA256: a7ef1fe8196ee0391959c921d23e90483ca6a7e4495c9255046849223a7c7bee
File name: winzip20-home.exe
Detection ratio: 1 / 68
Analysis date: 2018-02-10 01:31:04 UTC ( 1 week, 5 days ago )
Antivirus Result Update
Bkav W32.HfsAdware.EF70 20180209
Ad-Aware 20180209
AegisLab 20180210
AhnLab-V3 20180209
Alibaba 20180209
ALYac 20180209
Antiy-AVL 20180210
Arcabit 20180210
Avast 20180209
Avast-Mobile 20180209
AVG 20180209
Avira (no cloud) 20180210
AVware 20180209
Baidu 20180208
BitDefender 20180209
CAT-QuickHeal 20180209
ClamAV 20180209
CMC 20180209
Comodo 20180209
CrowdStrike Falcon (ML) 20170201
Cybereason 20180205
Cylance 20180210
Cyren 20180210
DrWeb 20180210
eGambit 20180210
Emsisoft 20180210
Endgame 20171130
ESET-NOD32 20180210
F-Prot 20180210
F-Secure 20180210
Fortinet 20180210
GData 20180210
Ikarus 20180209
Sophos ML 20180121
Jiangmin 20180209
K7AntiVirus 20180209
K7GW 20180210
Kaspersky 20180210
Kingsoft 20180210
Malwarebytes 20180210
MAX 20180210
McAfee 20180210
McAfee-GW-Edition 20180209
Microsoft 20180210
eScan 20180209
NANO-Antivirus 20180210
nProtect 20180209
Palo Alto Networks (Known Signatures) 20180210
Panda 20180209
Qihoo-360 20180210
Rising 20180210
SentinelOne (Static ML) 20180115
Sophos AV 20180210
SUPERAntiSpyware 20180209
Symantec 20180209
Symantec Mobile Insight 20180209
Tencent 20180210
TheHacker 20180208
TotalDefense 20180209
TrendMicro 20180210
TrendMicro-HouseCall 20180210
Trustlook 20180210
VBA32 20180209
VIPRE 20180210
ViRobot 20180210
Webroot 20180210
WhiteArmor 20180205
Yandex 20180207
Zillya 20180209
ZoneAlarm by Check Point 20180210
Zoner 20180210
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright WinZip Computing
Product WinZip
Internal name WZDLMCore.exe
File version 1.0.220.1
Description WinZip
Signature verification Signed file, verified signature
Signing date 3:32 PM 12/28/2015
Signers
[+] WinZip Computing LLC
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer GlobalSign CodeSigning CA - SHA256 - G2
Valid from 3:05 PM 4/17/2015
Valid to 3:05 PM 4/17/2016
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 54D2D47D272B70B49D15FECAF31015C6203E7D2D
Serial number 11 21 D1 D8 28 6B 82 39 33 99 C8 53 E4 4F F8 AA 38 54
[+] GlobalSign CodeSigning CA - SHA256 - G2
Status Valid
Issuer GlobalSign
Valid from 11:00 AM 8/2/2011
Valid to 11:00 AM 8/2/2019
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 4E34C4841080D07059EFC1F3C5DE4D79905A36FF
Serial number 04 00 00 00 00 01 31 89 C6 37 E8
[+] GlobalSign Root CA - R3
Status Valid
Issuer GlobalSign
Valid from 11:00 AM 3/18/2009
Valid to 11:00 AM 3/18/2029
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha256RSA
Thumbprint D69B561148F01C77C54578C10926DF5B856976AD
Serial number 04 00 00 00 00 01 21 58 53 08 A2
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Issuer Symantec Time Stamping Services CA - G2
Valid from 1:00 AM 10/18/2012
Valid to 12:59 AM 12/30/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 12/21/2012
Valid to 12:59 AM 12/31/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
F-PROT appended, UTF-8, ZIP
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2015-12-28 01:58:03
Entry Point 0x000373EE
Number of sections 5
PE sections
Overlays
MD5 e23d5a0f6a2465226c3411cb86573525
File type application/zip
Offset 491008
Size 215024
Entropy 8.00
PE imports
GetTokenInformation
GetSidSubAuthority
RegCloseKey
OpenProcessToken
FreeSid
RegOpenKeyExW
AllocateAndInitializeSid
CheckTokenMembership
RegEnumKeyW
RegQueryValueExW
GetStdHandle
GetDriveTypeW
FileTimeToSystemTime
WaitForSingleObject
EncodePointer
GetFileAttributesW
SystemTimeToTzSpecificLocalTime
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
LocalAlloc
UnhandledExceptionFilter
LoadLibraryExW
FreeEnvironmentStringsW
GetLocaleInfoW
SetStdHandle
GetCPInfo
WriteFile
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
GetOEMCP
LocalFree
InitializeCriticalSection
LoadResource
FindClose
TlsGetValue
MoveFileW
GetFullPathNameW
SetLastError
GetUserDefaultUILanguage
GetSystemTime
DeviceIoControl
CopyFileW
OutputDebugStringW
GetModuleFileNameW
IsDebuggerPresent
ExitProcess
GetModuleFileNameA
LoadLibraryExA
EnumSystemLocalesW
InterlockedDecrement
MultiByteToWideChar
SetFilePointerEx
CreateThread
MoveFileExW
GetSystemDirectoryW
SetUnhandledExceptionFilter
CreateMutexW
IsProcessorFeaturePresent
DecodePointer
SetEnvironmentVariableA
TerminateProcess
GetModuleHandleExW
GetDiskFreeSpaceExW
SetEndOfFile
GetCurrentThreadId
LeaveCriticalSection
WriteConsoleW
AreFileApisANSI
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
PeekNamedPipe
GetVersionExW
FreeLibrary
QueryPerformanceCounter
GetTickCount
TlsAlloc
FlushFileBuffers
RtlUnwind
GetFileSize
GetDateFormatW
GetStartupInfoW
CreateDirectoryW
DeleteFileW
GetProcAddress
GetProcessHeap
GetTimeFormatW
GetFileSizeEx
RemoveDirectoryW
GetFileInformationByHandle
FindNextFileW
FindFirstFileW
IsValidLocale
FindFirstFileExW
GetUserDefaultLCID
ReadConsoleW
GetTimeZoneInformation
CreateFileW
GetFileType
TlsSetValue
HeapAlloc
InterlockedIncrement
GetNativeSystemInfo
GetLastError
LCMapStringW
lstrlenA
GlobalFree
GetConsoleCP
CompareStringW
GetEnvironmentStringsW
GetUserGeoID
FileTimeToLocalFileTime
GetCurrentDirectoryW
GetCurrentProcessId
LockResource
GetCommandLineW
WideCharToMultiByte
HeapSize
GetCommandLineA
RaiseException
TlsFree
ReadFile
CloseHandle
GetACP
GetModuleHandleW
FreeResource
FindResourceExW
GetLongPathNameW
IsValidCodePage
GetTempPathW
CreateProcessW
Sleep
Number of PE resources by type
RT_STRING 13
RT_ICON 1
RT_VERSION 1
RT_GROUP_ICON 1
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 5
GERMAN 1
CHINESE TRADITIONAL 1
CZECH DEFAULT 1
FRENCH 1
CHINESE SIMPLIFIED 1
PORTUGUESE BRAZILIAN 1
JAPANESE DEFAULT 1
SPANISH MODERN 1
DUTCH 1
RUSSIAN 1
KOREAN 1
ITALIAN 1
PE resources
Debug information
ExifTool file metadata
SubsystemVersion 5.1
LinkerVersion 12.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 1.0.220.1
UninitializedDataSize 0
LanguageCode Neutral
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 137216
EntryPoint 0x373ee
MIMEType application/octet-stream
LegalCopyright WinZip Computing
FileVersion 1.0.220.1
TimeStamp 2015:12:28 02:58:03+01:00
FileType Win32 EXE
PEType PE32
InternalName WZDLMCore.exe
ProductVersion 1.0.220.1
FileDescription WinZip
OSVersion 5.1
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName WinZip Computing, S.L.
CodeSize 361984
ProductName WinZip
ProductVersionNumber 1.0.220.1
FileTypeExtension exe
ObjectFileType Executable application
CarbonBlack
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Execution parents
File identification
MD5 18b8a7ea36ca80b04fe34ad5bcacb276
SHA1 ab3c64630e19c7c4bc1752baf078fa553486bc1c
SHA256 a7ef1fe8196ee0391959c921d23e90483ca6a7e4495c9255046849223a7c7bee
ssdeep 12288:1zvZkpxJWKe7rHkj+bF/2kS7d9PuaIYNVbrzWLjB/LaIRNNEF8yqx4vRjQUj:J4e7rHjhS7TFprzWzEF8y9Zj9j
authentihash 82080e6c8ea6906b1cb255c60923c89a40fa53998743f0a29a7611e225840d1f
imphash d78aa8d24e7e6935a2c7052bb83a179e
File size 689.5 KB ( 706032 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win64 Executable (generic) (64.6%)
Win32 Dynamic Link Library (generic) (15.4%)
Win32 Executable (generic) (10.5%)
Generic Win/DOS Executable (4.6%)
DOS Executable Generic (4.6%)
Tags peexe signed overlay
VirusTotal metadata
First submission 2016-01-14 23:22:05 UTC ( 2 years, 1 month ago )
Last submission 2017-10-05 06:59:51 UTC ( 4 months, 2 weeks ago )
File names winzip20-home.exe
winzip20-home (1).exe
winzip20 - Double-cliquez pour installer.exe
winzip20-home.exe
winzip20-home.exe
winzip20-home.exe
bb5eb3a0cf5ae098728645459957e6f3378e0112
winzip20-home (2).exe
winzip20-home.exe
winzip20-home (v20.5).exe
WZDLMCore.exe
output.90413860.txt
winzip20-home (3).exe
winzip20-home.exe
790004
unconfirmed 52470.crdownload
winzip20-home.exe
d391.tmp
winzip.exe
6d98.tmp
HTTP-F1Fmhlgd1zGugHRf6.txt
winzip20-home.exe
winzip20-home.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Deleted files
Created processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Runtime DLLs
HTTP requests
DNS requests
TCP connections
UDP communications